Privacy Shield takes over from Safe Harbour

New provisions fall worryingly short of the demand for firm legal safeguards and oversight

The exchange of electronic data between European and US companies forms a critical part of the myriad services now delivered digitally over the internet – business valued at over $250 billion, according to US Commerce Department figures.

Until recently, companies could self-certify that they would ensure European data transferred to the US had the same protections mandated under more privacy-focused EU laws. All they had to do was sign up online to a programme called Safe Harbour, agreed between the EU and US 15 years ago.

But then came the steady dribble of disclosures from whistleblower and former US National Security Agency contractor Edward Snowden. He revealed extensive, secretive US programmes for mass surveillance and digital data-gathering, involving many of the largest American telecommunications and internet companies.

Amid heightened tensions over such spying, an Irish court case, taken by Austrian law student Max Schrems against the Irish Data Protection Commissioner, was fast-tracked to the European Court of Justice. The case centred on Schrems' contention that Facebook – which has its European headquarters here, in Dublin – had unlawfully allowed European data to be collected by the NSA as part of the agency's clandestine Prism programme.

In a dramatic decision, the justices sided with Schrems, invalidating Safe Harbour and leaving 4,300 companies in data protection limbo, with no easy way to certify compliance with European law.

Safe Harbour deserved to be overturned. It was little more than a box-ticking exercise for companies. Neither the European Commission nor US authorities had ever shown much interest in enforcing it, and the programme had a laughable level of oversight.

But what were companies to do?

Last October, the Article 29 Working Group of European data protection authorities gave the Commission three months to come up with an alternative. But the US and EU have very different views on privacy – a fundamental right in Europe, but without constitutional protection in the US, where security often trumps privacy – making negotiations long and fraught.

That deadline came this week, and had passed before negotiators announced a replacement proposal, called Privacy Shield. Industry lobbies, the US Chamber of Commerce, even the Irish Government rushed to welcome it in tweets and press releases. But they are jumping the digital gun.

While Privacy Shield was presented as a comprehensive new agreement, in truth it has not even been formally drafted, nor approved by the European Parliament.

Its provisions – including “written assurances” that EU data won’t be slurped by US surveillance agencies; an independent US ombudsman; and an annual review – seem to fall worryingly short of the ECJ’s demand for firm legal safeguards and oversight.

For now, Privacy Shield falls into the “something is better than nothing” camp, a bid to allow digital transfers to continue. We will not know if it is Safe Harbour’s acceptable replacement until, inevitably, a new challenge is referred to the ECJ.